Abuse of default passwords has gotten worse since I first posted about it here five years ago.
Threatpost recently posted an article discussing the issue of passwords for IoT (Internet of Things) devices. Because, for example, networked doorbells give the owner no way to set a unique, secure password and often communicate unencrypted, attackers can take over individual devices or whole fleets of them.
IP cameras and baby monitors have been vulnerable to open access for some time. Web sites (which I will not reveal here) allow people to watch “security” cameras, listen to room monitors, and sometimes disable or redirect cameras and microphones.
Motherboard reported that a hacker was actually able to hack into the control systems of cars and remotely stop them if they were going under twelve miles per hour! His method was simple: he guessed the usernames and tried 123456, the default password used by a GPS app. That qualifies as scary stuff in my book!
There may be some relief for users of devices manufactured in California. The state has mandated that devices manufactured in 2020 and beyond have unique passwords for each device, according to TechCrunch. If you are concerned that devices manufactured overseas or in other states on behalf of California companies will not be covered, fear not. The law states “(c) “Manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” This may be an initial death knell for default passwords.
You can do three things right now:
Sometimes you can’t do anything. CNET reported on a breach of data impacting 80 million US households. The interesting part of that particular brief was that the data was not protected by any password at all. Here the default was “no password”.
There are two significant issues here: default or no password, and passwords in general. Passwords are so pervasive that I do not see their demise any time soon. Until that time is reached, we need to continue to use good, strong passwords whenever possible and enable other authentication methods when we have the opportunity.
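The two issues above (default or missing passwords, and weak or reused passwords in general) are something you can check for in your own device inventory. The following is an added example, not code from the original post or from any of the vendors it mentions: it audits a constructed list of devices and flags any whose credential is a published factory default (including the empty “no password” case), too short, or shared across several devices, which is the situation the California law's per-device uniqueness rule is meant to end. The inventory, the default list and the length threshold are all assumptions made for illustration.

```python
"""Audit a device inventory for default, empty, weak, or shared passwords.

Added example, not part of the original post. The inventory, the list of
factory defaults and the minimum length are constructed assumptions.
"""
from collections import Counter

# Constructed: a handful of widely published factory defaults a defender
# would compare against (the empty string covers "no password at all").
DEFAULT_PASSWORDS = {"", "123456", "password", "admin", "1234", "default"}

# Assumption: anything shorter than this is treated as weak.
MIN_LENGTH = 12

# Constructed sample inventory: (device_id, username, password)
INVENTORY = [
    ("doorbell-01", "admin", "123456"),
    ("cam-lobby", "admin", ""),
    ("gps-tracker-7", "user", "default"),
    ("baby-monitor", "owner", "correct horse battery staple"),
    ("thermostat", "root", "Tr0ub4dor&3"),
    ("cam-garage", "admin", "garage-camera-passphrase-2020"),
    ("cam-driveway", "admin", "garage-camera-passphrase-2020"),
]


def classify(password, reuse_count):
    """Return one finding for a single credential.

    Order matters: a default password is the worst case, then a short one,
    then a password that is long enough but reused on other devices.
    """
    if password in DEFAULT_PASSWORDS:
        return "default"
    if len(password) < MIN_LENGTH:
        return "weak"
    if reuse_count > 1:
        return "shared"
    return "ok"


def audit(inventory):
    """Map each device id to its finding: 'default', 'weak', 'shared' or 'ok'."""
    # Count how many devices use each password so reuse can be detected.
    uses = Counter(pw for _, _, pw in inventory)
    return {dev: classify(pw, uses[pw]) for dev, _, pw in inventory}


def summarize(findings):
    """Count findings by category, e.g. {'default': 3, 'weak': 1, ...}."""
    return dict(Counter(findings.values()))


if __name__ == "__main__":
    results = audit(INVENTORY)
    for device, finding in results.items():
        print(f"{device:15} {finding}")
    print("summary:", summarize(results))
```

Run it as-is to see the constructed inventory scored; in practice you would replace INVENTORY with an export from whatever system tracks your devices and extend DEFAULT_PASSWORDS with the defaults listed in each vendor's manual.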
To your safe computing,